Interesting. I'm not clear where this is documented, but I'll see what my RACF admin has to say. Basically, I tried in our prod LPAR to back up (DUMP) a file that was currently open to CICS; thus the TOLERATE(ENQF). But I could not perform it because...

ICH408I USER(DVFJS ) GROUP(DEPT9971) NAME(FRANK SWARBRICK ) 928
  STGADMIN.ADR.DUMP.TOLERATE.ENQF CL(FACILITY)
  INSUFFICIENT ACCESS AUTHORITY
  FROM STGADMIN.ADR.** (G)
  ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )

Thanks!
Frank

--
Frank Swarbrick
Applications Architect - Mainframe Applications Development
FirstBank Data Corporation - Lakewood, CO USA
P: 303-235-1403

On 2/3/2011 at 12:36 AM, in message <[email protected]>, "R.S." <[email protected]> wrote:
> Frank Swarbrick wrote:
>> STGADMIN.ADR.DUMP.TOLERATE.ENQF is required for a user to use TOLERATE(ENQF)
>> on a DSS dump. What is the security issue this is "protecting" against? Or
>> is it just more of a data integrity issue?
>
> No.
> Access to the resource STGADMIN.ADR.DUMP.TOLERATE.ENQF is NOT
> required to use TOL(ENQF). All the
> STGADMIN.ADR.everything-but-second-STGADMIN resources are used to
> *optionally* deny access.
>
> In other words:
> STGADMIN.ADR.non-STGADMIN - no profile means access for everyone.
> STGADMIN.ADR.STGADMIN.** - no profile means no access.
>
> That's a big difference. "Dangerous" functions are denied by default,
> while other functions CAN be denied (controlled) if you wish so.
> IMHO it's state-of-the-art usage of RACF profiles.
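Added example (not part of the original posts): a small Python parser for the ICH408I message quoted above, which pulls out the requested resource and the profile that actually decided the request, and flags the case seen here where a broader generic profile covers a resource that has no profile of its own. The field names and the caught_by_broader_profile flag are this example's own, and treating the numeric token after NAME(...) as optional console residue is an assumption.

```python
import re

# The ICH408I text from the post above, whitespace-flattened as it appears there.
SAMPLE = (
    "ICH408I USER(DVFJS ) GROUP(DEPT9971) NAME(FRANK SWARBRICK ) 928 "
    "STGADMIN.ADR.DUMP.TOLERATE.ENQF CL(FACILITY) INSUFFICIENT ACCESS AUTHORITY "
    "FROM STGADMIN.ADR.** (G) ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )"
)

# Matches only the resource-access form of ICH408I (resource, CL(...), FROM profile).
# \s+ between fields lets the same pattern read the original multi-line layout.
ICH408I = re.compile(
    r"ICH408I\s+USER\((?P<user>[^)]*)\)\s+GROUP\((?P<group>[^)]*)\)\s+"
    r"NAME\((?P<name>[^)]*)\)\s+(?:\d+\s+)?"   # assumed: optional numeric token
    r"(?P<resource>\S+)\s+CL\((?P<cls>[^)]*)\)\s+"
    r"(?P<reason>.+?)\s+FROM\s+(?P<profile>\S+)(?P<generic>\s+\(G\))?\s+"
    r"ACCESS INTENT\((?P<intent>[^)]*)\)\s+ACCESS ALLOWED\((?P<allowed>[^)]*)\)",
    re.DOTALL,
)


def parse_ich408i(text):
    """Return the fields of a resource-access ICH408I message, or None."""
    m = ICH408I.search(text)
    if m is None:
        return None  # other ICH408I variants (e.g. logon failures) are not handled
    rec = {k: (v or "").strip() for k, v in m.groupdict().items()}
    rec["generic"] = bool(rec["generic"])  # "(G)" marks a generic profile
    # True when the decision came from a generic profile that is not the
    # resource name itself, i.e. the resource has no discrete profile and a
    # wider pattern such as STGADMIN.ADR.** answered the check.
    rec["caught_by_broader_profile"] = (
        rec["generic"] and rec["profile"] != rec["resource"]
    )
    return rec


if __name__ == "__main__":
    rec = parse_ich408i(SAMPLE)
    for key in ("user", "resource", "cls", "profile", "intent", "allowed",
                "caught_by_broader_profile"):
        print(f"{key:26} {rec[key]}")
```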

